无法使用tomcat验证对CSRF令牌的发布请求 [英] Not able to authenticate post request for CSRF token with tomcat

问题描述

我正在开发一个tomcat应用程序。我正在尝试添加catlina库提供的CSRF身份验证令牌（org.apache.catalina.filters.CsrfPrevention）。我已将过滤器添加到web.xml

I am working on a tomcat application. I am trying to add CSRF authentication token provided by catlina library(org.apache.catalina.filters.CsrfPrevention). I have added filter to web.xml

<filter>
    <filter-name>CsrfFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
        <param-name>entryPoints</param-name>
        <param-value>/Login</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CsrfFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

我还更新了login.jsp

Also I have updated the login.jsp

<%  String url = '/Login?x=true';
    String encodeUrl = response.encode(url);
%>
    <form action="<%=urlEncode%" action="Post">
        <input type="text" name="username"/>
        <input type="password" name="password"/>
        <button type="submit">Login</button>
    </form>

现在我正在运行服务器登录页面正在渲染。当我输入用户名和密码时，浏览器将发送请求发送到登录servlet，CSRF_NONCE http：// localhost：9090 / Login？x = true& org.apache.catalina.filters.CSRF_NONCE = 7DE88A93A526E465566864684FEB01C9 。它有CSRF_NONCE但仍然响应状态为403.我已经阅读了很多文档但是找不到任何解决方案来验证post requet。

Now when I am running server login page is rendering. When I am entering username and password browser is sending Post request to Login servlet with CSRF_NONCE http://localhost:9090/Login?x=true&org.apache.catalina.filters.CSRF_NONCE=7DE88A93A526E465566864684FEB01C9. Its having CSRF_NONCE but still response is having status 403. I have read many document but could not found any solution to authenticate post requet.

我还要求我需要编码所有的网址，但无法找到我应该怎么做。我需要为此编写过滤器吗？

I also reaad that i need to encode all the urls but could not found how should I need to do. Do I need to write filter for that?

推荐答案

最后我得到了答案。我在这里发布给其他人。

Finally I got the answer. I am posting it here for others.

为了渲染JSP我使用的是RequestDispatcher对象

For rendering the JSP I was using the RequestDispatcher object

dispatcher.forward(request, response);

因此过滤器未应用于给定的URL。最后我找到了答案。我应该在Servlet处理程序中使用带有过滤器或response.sendRedirect方法的参数中的调度程序。

So the filter was not getting applied to the given url. Finally I found the answer. Either I should have used dispatcher in parameter with the filter or response.sendRedirect method in Servlet handler.

http://www.theserverside.com/news/thread.tss?thread_id=34168

这篇关于无法使用tomcat验证对CSRF令牌的发布请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！